NANOREALITY GAMES – PRIVACY NOTICE (GLOBAL)

Last updated: March 31, 2026

1. Who we are (Data Controller)

Nanoreality Limited and Nanoreality Games (“Nanoreality”, “we”, “us”) are the controllers of the personal data described in this Privacy Notice.

Nanoreality Limited

Registered office: Sokratous Str, 2, Mesa Yeitonia, 4006 Limassol, Cyprus
Company registration no.: 348166

Nanoreality Games

Registered office: Av. de la Industria 4, edif. 3A, Alcobendas 28108, Madrid, Spain
Company registration no.: B10641538

Contact (privacy): dataprotection@nanoreality.com

This Privacy Notice explains how we process personal data in our mobile games (including beta tests), websites, and related services (“Services”).

2. Scope and key principles

We aim to follow the GDPR and Spanish data protection rules (including the LOPDGDD) when we process data of users in the EEA/UK, and we apply these standards as our baseline globally.

We design our Services to collect the minimum personal data needed (“data minimisation”), to use it only for clear purposes, and to keep it only as long as necessary.

3. What personal data we process (typical for mobile games)

We do not require you to provide an email address, phone number, bank details, or your real name to play. However, we may process:

A. Identifiers and device / network data

  • Player / game identifiers (e.g., a random player ID created by the game)
  • Device identifiers and ad identifiers (e.g., Android Advertising ID / Apple IDFA, where permitted)
  • IP address, approximate location inferred from IP (e.g., country/city), language, time zone
  • Device and app information (device model, OS version, app version), crash logs and diagnostics

B. Gameplay and engagement data

  • Game progress and events (levels, actions, session duration, in-game interactions)
  • In-app ads interactions (views, clicks, attribution signals)
  • Fraud / security signals (e.g., abnormal activity patterns)

C. Purchase-related data (if you make in-app purchases)

We do not receive your card/bank details from Google Play / Apple App Store. We may receive limited purchase metadata such as transaction IDs, purchase timestamps, item IDs, and receipt/validation tokens needed to verify the purchase.

D. Communications (only if you contact us)

Messages you send via in-app support or other channels, and any information you choose to include.

E. Cookies / SDK data (websites and in-app SDKs)

Our websites and in-app SDKs may store or access information on your device (cookies/SDK identifiers) for essential functions, measurement, and (where you choose) personalisation and advertising.

Special categories of data: We do not intentionally collect special categories of data (e.g., health, biometrics, political opinions). Please do not provide such data to us.

4. Where we get the data

  • From you (only if you contact support or provide optional inputs)
  • Automatically from your device when you use the Services (game telemetry, device/app info)
  • From partners involved in app distribution, ads, analytics, and attribution (see Section 7)

5. Why we process your data (purposes) and our legal bases (GDPR)

We use the following purposes and legal bases, with GDPR as our baseline:

Purpose 1 – Provide and operate the game (save progress, core gameplay, essential features)

Legal basis: Performance of a contract with you (GDPR Art. 6(1)(b)) and/or legitimate interests (Art. 6(1)(f)) for essential service operation.

Purpose 2 – Provide customer support and respond to requests

Legal basis: Contract (Art. 6(1)(b)) and/or legitimate interests (Art. 6(1)(f)).

Purpose 3 – Security, fraud prevention, cheating detection, and abuse moderation

Legal basis: Legitimate interests (Art. 6(1)(f)) and, where applicable, legal obligations (Art. 6(1)(c)).

Purpose 4 – Analytics and service improvement (product performance, bug fixing, balancing)

Legal basis:

  • EEA/UK: Consent where required for storage/access to device information via cookies/SDKs, including analytics identifiers; otherwise legitimate interests for strictly necessary, privacy-preserving measurement (aggregated, without unique identifiers).
  • Outside EEA/UK: as permitted by local law.

(See Section 6 for cookie/SDK rules and controls.)

Purpose 5 – Advertising and monetisation (showing ads, measuring performance, preventing ad fraud)

Legal basis:

  • EEA/UK: Non-personalised/contextual ads and fraud prevention: legitimate interests (Art. 6(1)(f)).
  • Personalised ads / ad personalisation: your consent (Art. 6(1)(a)) where required, including where cookies/SDKs are used.

Purpose 6 – Legal compliance, accounting, and defending legal claims

Legal basis: Legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f)).

6. Cookies, SDKs, and similar technologies (ePrivacy / Spain)

Websites and in-app SDKs may store/access information on your device. In Spain, this generally requires prior consent unless the storage/access is strictly necessary for providing the service you requested.

We use categories such as:

  • Strictly necessary: security, load balancing, basic app functionality, consent storage.
  • Measurement/analytics: aggregate performance and usage measurement.
  • Advertising and attribution: measuring installs, ad delivery and frequency capping; personalised ads where enabled.

Your choices:

  • In-app: we will present a consent prompt (or settings) where required, letting you accept or reject non-essential SDK purposes.
  • Website: we will provide a cookie banner and preferences centre.

Banner design criteria (Spain):

We present “Accept” and “Reject” options with the same level of prominence, and we do not make rejecting harder than accepting.

7. Who we share data with (recipients)

We share data only as needed for the purposes above.

A. Service providers (processors) acting on our instructions (typical categories)

  • Cloud hosting and infrastructure providers (e.g., AWS / Google Cloud)
  • Analytics and attribution providers (e.g., AppsFlyer)
  • Data warehouse / BI (e.g., Snowflake) for internal analytics (pseudonymised where possible)
  • Support tooling providers (if used)

These providers process data under contract and data processing terms.

Service provider Use
AppsFlyer SDK / Analytics - mobile attribution & analytics
ironSource / Unity LevelPlay & Unity Ads SDK / Ad Network - ad mediation, monetisation, UA
Google Ads / AdMob (UA stack) Ad Network - user acquisition, monetisation
AWS Cloud infrastructure - hosting, backend, analytics
Google Cloud Platform Cloud infrastructure - servers, data processing
Snowflake Data warehouse - analytics / BI
Yodo1 SDK / Ad Mediation - mobile game monetization, single SDK for multiple ad networks
Meta (Facebook Audience Network / Ads) SDK / Ad Network - mobile attribution, UA, monetization via Audience Network SDK and Ads platform

B. Advertising and monetisation partners (often independent controllers)

Ad networks, ad mediation, and measurement partners (e.g., Unity/ironSource, Google/AdMob) may process certain identifiers and events under their own policies. Where required, we collect and pass your consent signals.

C. App stores and payment platforms

Google Play and (when used) Apple App Store are separate controllers for payment and store account data. We receive only limited purchase verification data.

D. Professional advisers and authorities

Lawyers, auditors, and regulators where necessary for compliance or legal claims.

E. Corporate transactions

If we are involved in a merger, acquisition, or sale, data may be shared subject to confidentiality and lawful safeguards.

8. International data transfers

We may process data outside the EEA (e.g., where a provider hosts globally). Where GDPR applies, we use appropriate safeguards such as:

  • EU adequacy decisions; or
  • Standard Contractual Clauses (SCCs) plus supplementary measures where needed.

9. Retention (how long we keep data)

We keep personal data only as long as necessary for the purposes described, then delete or anonymise it.

Data Category Retention Period Legal Basis
Game telemetry and analytics (progress, events, sessions) 13 months raw; indefinite for aggregated/anonymized Legitimate interests (service improvement); Art. 6(1)(f) GDPR.
Crash logs and diagnostics 90 days Contract/Legitimate interests; Art. 6(1)(b)/(f).
Fraud/security/cheating logs 24 months (high-risk: up to 7 years) Legitimate interests/Legal obligations; Art. 6(1)(f)/(c).
Support tickets/communications 24 months post-closure Contract/Legitimate interests; Art. 6(1)(b)/(f).
Purchase verification records (transaction IDs, receipts) 6 years Legal obligation; Art. 6(1)(c).
Device/ad identifiers (IDFA, AAID) Tied to purpose (e.g., 13 months ads) Consent/Legitimate interests; Art. 6(1)(a)/(f).

We do not require players to create a traditional account with a name, email address, or phone number to use the game. Instead, we generate a unique Player ID and process limited device, gameplay, diagnostic, and advertising/analytics identifiers to operate, secure, improve, and monetize the game.

To request deletion of data associated with your Player ID, use the Privacy or Support option in Settings and include the Player ID shown in the game. If certain data is stored only on your device, you may also delete it by clearing app data or uninstalling the game. If we maintain server-side records associated with your Player ID, we will delete or de-identify them subject to legal, security, fraud-prevention, and backup-retention exceptions.

10. Your rights

Depending on your location and the law that applies, you may have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase data (“right to be forgotten”)
  • Restrict processing
  • Data portability (where applicable)
  • Object to processing based on legitimate interests (including certain analytics/marketing)
  • Withdraw consent at any time (without affecting processing done before withdrawal)
  • Lodge a complaint with a supervisory authority

How to exercise rights:

Contact us at dataprotection@nanoreality.com or via in-app support. We may need to verify your request. If you do not have an account, we will use reasonable methods to identify your game profile (e.g., player ID shown in settings).

Complaints:

If you are in Spain, you can complain to the Spanish Data Protection Authority (AEPD). If you are in Cyprus, you may complain to the Office of the Commissioner for Personal Data Protection.

If you are a California resident, and the CCPA applies to our business and processing, you may have the right to request access to, correction of, deletion of, and information about the sale or sharing of personal information associated with your Player ID, subject to applicable exceptions. We describe the categories of personal information we collect, the purposes for which we use it, and whether it is sold or shared in our Notice at Collection / Privacy Policy.

11. Automated decision-making, profiling, and use of AI

Profiling/analytics

We use behavioural analytics to understand gameplay and improve the Service. We may also segment users for advertising measurement and fraud prevention.

No solely automated decisions with significant effects

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing (e.g., permanent account suspension) without human review. If this changes, we will update this notice and explain the logic, significance, and consequences.

Use of AI

We may use automated tools (including AI-assisted systems) to:

  • detect anomalies/fraud,
  • classify crash reports,
  • help generate internal insights from aggregated telemetry, and
  • support our customer support team (e.g., drafting response suggestions).

If we use third-party AI providers, we aim to minimise data and avoid sending direct identifiers; we configure services to process data only under our instructions and not to train their general models using our data, where available.

12. Children / minors

Our Services are intended for a general audience and are not directed to children under 13. We do not knowingly collect personal data from children under 13 without any consent required by applicable law. If we learn that we have collected personal data from a child in a manner that requires parental consent and we did not obtain it, we will delete or de-identify that data.

Where local law requires parental authorisation for consent-based processing for older minors, we will seek the required consent or disable those optional features. However, we comply with applicable rules:

  • US (COPPA): Not for children under 13; if we learn of data collection from under 13 without verifiable parental consent, we delete it.
  • EEA (GDPR Art. 8): Parental authorisation needed for consent where user under MS age (e.g., 14 in Spain per LOPDGDD, Cyprus - 14, Poland and Sweden - 13).
  • Other: Equivalent protections (e.g., UK under 18 high-privacy defaults).

Do not provide data if under limits. Contact us to request deletion.

13. Security

We use organisational and technical measures designed to protect personal data, such as access controls, encryption in transit, least-privilege access, logging/monitoring, and vendor due diligence. No method of transmission or storage is 100% secure.

14. Changes to this Privacy Notice

We may update this notice to reflect changes in our practices, technology, or legal requirements. We will post the updated version in the app and/or on our website. For material changes, we will provide additional notice where required.

15. Contact

Privacy email: dataprotection@nanoreality.com
Postal address: Nanoreality Games SL, Av de la Industria 4, Ed 3A, pl. 3, 28108 Alcobendas